Patch against OpenSSH 9.6 or greater
elluisian opened this issue · 4 comments
Hi, asking for an enhancement, or better, to fix an important vulnerability.
As you may know, some time ago a new vulnerability named Terrapin has been discovered on SSH implementations (https://terrapin-attack.com/), but the newest hpn-ssh is still based upon OpenSSH 9.5p1 which, as far as I know, is still affected by the problem.
Please, whenever possible, update the patches so that hpn-ssh is safe from that vulnerability.
Thanks for the hard work anyway.
Thank you @dave-re-imprivata, I noticed that it is still work in progress only after creating the issue. My bad for wasting your time.
It can be closed if you think so.
Again my bad.
Hey there. We are working on it but we've come across a regression in our code. It seems that a chance exists for the connection to enter in to a pathological state when transferring data to an HPN server from an SSH client more recent than 8.8p1. I have a fix in place but it involves limiting the advertised receive window in SSH->HPN connections. I'm not happy about doing that so I'm looking for other ways of mitigating this issue. I hope to have an effective fix out soon but please be assured that I am working on it.
Buffer management is hard. :|
Thank you for your answer @rapier1, not a problem at all, as already stated, I'm sorry I didn't check the discussions BEFORE posting this issue, had I known, I wouldn't have opened it.
Since I'm still a beginner developer I can only imagine that it is indeed something difficult you're dealing with, so do not worry, take your time and keep up the good work!